dig MX trstech.net makes a SERVFAIL. (The BIND resolver is set to dnssec-validation yes and uses the ISC DLV registry).
The domain is not signed and has no trust anchor at my resolver (BIND 9.5.0-P2). I cannot reproduce the problem with other similar (no signature, no trust anchor) domains. The logfile says: Nov 6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 196.200.57.137#53 Nov 6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 147.28.0.39#53 Nov 6 12:37:26 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 2001:4f8:feec::1#53 Despite the: logging { channel dnssec_log { // a DNSSEC log channel file "/var/tmp/bindlog/dnssec.log" size 20m; print-time yes; // timestamp the entries print-category yes; // add category name to entries print-severity yes; // add severity level to entries severity debug 3; }; category dnssec { dnssec_log; }; There is nothing in /var/tmp/bindlog/dnssec.log. This seems BIND specific. Using OARC DNSSEC resolvers, I see the same behavior on their BIND resolver (149.20.64.20) but not on the Unbound one (149.20.64.21).